When thinking about vendor controls in third-party risk management (TPRM), it’s important to remember that it can often be a two-way process. Complementary User Entity Controls (CUECs), also known as User Control Considerations (UCCs), are controls that the vendor has included within its system, in which the user entity (you) must implement to ensure the vendor’s control objectives are accomplished.
In most cases, the control objectives stated in the description can only be achieved in the correct situation. The CUECs must be suitably designed and operate effectively by your organization, and function in combination with the vendor’s controls.
CUECs are documented within a SOC report in different ways, usually depending on the preference of the vendor and the audit firm performing the SOC review.
Where to Find Complementary User Entity Controls in a SOC Report
- Specific subsection of the description – You can often find the CUECs listed out in the service description section with details on how exactly they relate to the control objectives laid out in the report.
- Tested controls section – You can also find the CUECs within the testing section, where they're usually documented along with the control objectives in which they align.
Of course, finding the CUECs in the report is only part of the battle! Understanding what CUECs mean to your organization is critical because they outline to you (the intended user of the product or service) the roles, responsibilities and obligations you have in ensuring the stated control objectives are effective for your organization.
Common Examples of CUECs in a SOC Report
- Logical Access:
- Account provisioning
- General IT controls and policies
- Account management
- Separation Procedures:
- Timely account removal
- Regular assessment of accounts
- Authorization Policies and Procedures:
- Can ensure that transactions are appropriately authorized and transactions are secure, timely and complete
- Data Transmission Policies and Procedures:
- An appropriate method, such as encryption, can be used to protect data during transmission
You’ve Located the CUECs. Now What?
Knowing about CUECs still isn’t enough. As part of your vendor risk management process, you have to map them back to your own governance documents to ensure that you have controls in place that properly align with your vendor’s expectations. Part of comprehending a vendor’s value in providing a product or service is making sure you can effectively execute your responsibilities.